A security researcher working for another company recently published a blog post describing how an attacker could potentially phish users of a website that uses Auth0 for authentication. Phishing is not the same as exploiting a code vulnerability, so there is no software patch to apply: no flaw exists in Auth0's system. Let’s explore the mechanism behind this theoretical phishing attack, the prevalence of social engineering scams in today’s tech industry, and what companies and their users can do to better protect themselves.

What is Phishing?

Phishing is a type of social engineering attack that has been around since the 1990s and is still extremely prevalent today. It typically begins with email: messages are sent to targeted individuals containing links or attachments with malicious intent, either to install malware on the user’s device or to get the user to enter sensitive data into a website that masquerades as a legitimate one.

Phishing attacks are growing increasingly sophisticated, but the intent is always the same: to deceive people into handing over protected information, most often credentials. Regardless of how polished the lure is, the premise of phishing remains very straightforward.

Consider this sequence of events, for example:

  1. A user of Service A (service-a.com) is sent an email that appears to be from Service A. The email tells the user they need to log in using a link in the email.
  2. The user clicks on the link, which takes them to a login page at malicious-service-a.com (not the real website at service-a.com).
  3. The page has been styled to look like a legitimate page from Service A, so the user enters their credentials into the login form.
  4. The credentials have then been given to the attacker, who can now access the real Service A with the victim’s stolen login information. In addition, due to the common practice of password reuse, the attacker may even have access to other accounts that the victim holds on other sites.

This is just one possible example of a phishing scam flow. The attacker could just as easily ask for other kinds of personal information, or request that the user download a malicious email attachment.

Phishing with Auth0 Subdomains

The specific idea behind the security researcher’s phishing scam was a way to target a website that uses Auth0 authentication. Auth0 hosts tenants under regional domains: auth0.com, eu.auth0.com, and au.auth0.com. A tenant name is only unique within its region, so a bad actor could register the same tenant name under one of the other regional domains and obtain a hostname that differs from the legitimate one only in the region segment. The attacker could then set up a custom login page on their own tenant and, assuming they already had the email addresses of the target’s users, send those users a link and attempt to solicit credentials or other sensitive information from them. Similar scams could be attempted using any domain that users could mistake for a legitimate one.

Cross-Site Scripting, or XSS, was not involved in this exploration of a phishing attack using Auth0 regional subdomains. XSS describes the injection of a malicious script into a vulnerable web application so that it runs in that application’s origin, with access to its users’ sessions and data. The exploration relied only on a custom page hosted on the attacker’s own tenant in another region; no malicious code was injected into the target’s tenant or application. The ability to include JavaScript in custom pages is a feature available to Auth0 customers because many integrations need that flexibility, but that script executes only within the customer’s own tenant domain. It cannot execute cross-site, in the context of another tenant or another website.

This Attack is Not New and Not Unique

As stated previously, phishing attacks have been around for decades: more than two of them, in fact. They have become more sophisticated and insidious in their execution, but they still rely on tricking people into divulging confidential information, which is why they are classed as social engineering. In these scams it is common, historically and today, for malicious actors to use domains that look very similar to the target domain to make the phishing attempt more convincing.

"It's unclear why the researcher used Auth0 as a common example of phishing targeting Auth0. There are no vulnerabilities here and their research doesn't show anything new. It is simply another example of possible phishing. The same could be done with the anycompany.com website by using a lookalike domain and then setting up a login page the same as this one https://www.anycompamy.com/Login."

–Cesar Cerrudo, globally recognized security expert and CTO at IOActive Labs

No company that has users with email addresses is impervious to phishing scams. The same kind of attempt can be made against any company, not just Auth0, in thousands of ways, which is why these attacks are so prevalent across the tech industry.

Phishing Relies on Tricking Users

As noted above, phishing is not the same as exploiting a code vulnerability, so there is no software patch to apply: no flaw exists in Auth0’s system. The particular phishing attack described by the security researcher is not being actively used. Auth0 provides security measures that help prevent credential harvesting via phishing, such as Single Sign-On, Multifactor Authentication, and Passwordless. In addition, Breached Password Protection, Brute Force Protection, and Anomaly Detection can help limit the damage when credentials are phished. Auth0 also supports Custom Domains, which remove auth0.com (and the regional auth0.com subdomains) from your application’s login URLs and replace them with a domain of your choosing. Once your users only ever see your own domain, a lookalike tenant under another Auth0 region no longer resembles anything they expect, which eliminates this particular scam using Auth0 subdomains.

However, it is important to remember that phishing scams are common and easy to execute if an attacker already has your users’ email addresses. Although using an Auth0 Custom Domain, or registering your tenant name in every Auth0 region, eliminates the attack avenue described in this specific case, an attacker could still register a similar-looking domain name under any top-level domain and attempt to deceive your users. For example, if your company’s login domain is login.real-company.com, a phishing attack could be perpetrated from a similar domain such as login.rea1-company.com (with the digit 1 in place of the letter l). A bad actor could also just as easily send your users a malicious email attachment instead.

Protecting Your Company and Users

The safety of companies and their users should be the paramount concern when discovering and sharing information about security. Research that is not thorough can mislead customers, users, and the wider technology community.

Any company implementing authentication of any kind, whether proprietary or through an Identity and Access Management platform such as Auth0, should have security practices in place to mitigate phishing. These practices should include regular internal anti-phishing campaigns and training, as well as Multifactor Authentication or Passwordless. Monitoring for lookalike domain names, including your own tenant name under the other Auth0 regions if you have not registered them yourself, is also recommended. With the proliferation and increasing cleverness of phishing scams, the importance of awareness and training cannot be overstated.
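The lookalike-domain monitoring recommended above, and the regional-subdomain variant discussed earlier, can both be checked mechanically. The following script is an added example written for this page; it is not Auth0 code and not part of any Auth0 product. It assumes a hypothetical company whose legitimate login hostnames are login.real-company.com and real-company.auth0.com, a small, non-exhaustive table of confusable characters, and a constructed sample email. Given an email body, it extracts every linked hostname and classifies it as legitimate, as the same tenant name under another Auth0 region, as a lookalike (confusable characters or a couple of typos away from a real hostname), or as unrelated.

```python
import re
from urllib.parse import urlsplit

# Exact hostnames the hypothetical company really uses for login (assumed for this example).
LEGIT_HOSTS = {"login.real-company.com", "real-company.auth0.com"}

# Regional Auth0 parent domains named in the post, longest suffix first so that
# "tenant.eu.auth0.com" is not mis-parsed as tenant "tenant.eu" under "auth0.com".
AUTH0_REGIONAL_PARENTS = sorted(
    ("auth0.com", "eu.auth0.com", "au.auth0.com"), key=len, reverse=True
)

# Character swaps attackers use to build lookalikes (assumed, deliberately short list).
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"), ("3", "e"), ("5", "s"))

# Hostnames within this many edits of a legitimate one (after folding) are flagged.
MAX_EDIT_DISTANCE = 2

URL_RE = re.compile(r"https?://[^\s<>\"']+")


def normalize(host: str) -> str:
    """Lowercase and fold confusable characters so 'rea1' compares equal to 'real'."""
    host = host.lower().rstrip(".")
    for lookalike, real in CONFUSABLES:
        host = host.replace(lookalike, real)
    return host


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) via the standard O(len(a)*len(b)) DP."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def auth0_tenant(host: str):
    """Split an Auth0 tenant hostname into (tenant, regional_parent); None if it is not one."""
    for parent in AUTH0_REGIONAL_PARENTS:
        suffix = "." + parent
        if host.endswith(suffix):
            tenant = host[: -len(suffix)]
            return (tenant, parent) if tenant and "." not in tenant else None
    return None


def auth0_regional_siblings(host: str) -> set:
    """The same tenant name under the other Auth0 regions: exactly the hostnames a bad
    actor could register to impersonate this tenant, as described in the post."""
    parsed = auth0_tenant(host)
    if parsed is None:
        return set()
    tenant, parent = parsed
    return {f"{tenant}.{p}" for p in AUTH0_REGIONAL_PARENTS if p != parent}


def classify_host(host: str) -> str:
    host = host.lower().rstrip(".")
    if host in LEGIT_HOSTS:
        return "legitimate"
    # The regional sibling differs by a whole ".eu"/".au" label, so edit distance alone
    # would miss it; check it explicitly.
    for legit in LEGIT_HOSTS:
        if host in auth0_regional_siblings(legit):
            return "auth0-regional-lookalike"
    folded = normalize(host)
    for legit in LEGIT_HOSTS:
        if levenshtein(folded, normalize(legit)) <= MAX_EDIT_DISTANCE:
            return "lookalike"
    return "unrelated"


def scan_email(body: str) -> dict:
    """Map every hostname linked in an email body to its classification."""
    results = {}
    for url in URL_RE.findall(body):
        host = urlsplit(url).hostname
        if host:
            results[host] = classify_host(host)
    return results


# Constructed sample message for this demo; every hostname in it is illustrative.
SAMPLE_EMAIL = """\
Subject: Action required: confirm your Real Company login

Please confirm your account here: https://login.rea1-company.com/verify?u=123
If that fails, use https://real-company.eu.auth0.com/login or
https://login.real-compnay.com/reset
Legitimate link for comparison: https://login.real-company.com/u/login
Unrelated link: https://example.org/
"""

if __name__ == "__main__":
    for host, verdict in scan_email(SAMPLE_EMAIL).items():
        print(f"{verdict:26} {host}")
```

Running the script flags login.rea1-company.com and login.real-compnay.com as lookalikes, real-company.eu.auth0.com as the regional sibling of the legitimate tenant, and leaves login.real-company.com and example.org alone. The same classifier can be pointed at a list of newly registered domains or at certificate-transparency logs instead of an inbox; the regional-sibling check is the part that a generic typosquatting tool would not do for you.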